2012 was an "exciting" year for OS X security—at least if you're a security expert or researcher. There were plenty of events to keep people on their toes. Although Apple took some egg on the face for some of them, overall, the company came out ahead when it came down to keeping users safe.

At least that's the opinion of some security researchers who followed OS X developments throughout the year.

The incident sparked plenty of hemming and hawing about the end of "security through obscurity" for Apple. Researchers and pundits alike argued that Apple's continued popularity could only lead to more attacks on security, whether they occur on iOS or the Mac. Indeed, it's hard to deny that malicious attacks on Mac users are increasing in frequency, and Apple did take some flak for talking a big security game for so long while simultaneously leaving open a Java hole for two whole months after it was first patched by Oracle.

Removal of Java

But despite this stumble, the Flashback fiasco was the catalyst for one of the most meaningful decisions Apple made in order to beef up OS X security.

"Flashback both led to Apple removing Java from their default installs, and prompted them to release a dedicated cleanup tool," security researcher (and former security engineer for Obama for America) Ben Hagen told Ars. "When an OS vendor releases a dedicated cleanup tool, you know things are bad."

Hagen pointed out the need existed for Apple to release its own Flashback cleanup tool because the Mac anti-malware market and user base "is relatively immature." But the bigger decision to come out of Flashback was to reduce the role of Java in OS X users' lives as much as possible, unless the user specifically installs it.

"The removal of Java was a very interesting decision and de facto statement by Apple. Java on user systems has become a notorious vector for exploitation; with new, remotely executable vulnerabilities coming out several times last year," Hagen said. "Removing Java both simplifies Apple’s position and provides a safer default state for its users."

Noted (and notorious) Mac and iOS "hacker" Charlie Miller agreed with this assessment, going so far as to say it was the most significant decision Apple made in 2012.

"Nowadays, the amount of effort required to write an exploit for OS X is roughly the same as that for writing one for Windows. Because of the bigger payoff for Windows exploits (more users) there are almost no OS X exploits in the real world. But the exception is for Java exploits," Miller told Ars. "For Java applet sandbox escape type exploits, the same exploit will work on Windows and OS X."

Miller credited Java for practically the entire reason we're actually seeing exploits that affect Mac users pop up in the wild. "Therefore, anything Apple does to reduce Java's install base in OS X is a security gain that still gives them some real life improvements," he said.

Movement to signed security model for apps

But even as Flashback was going down and Java was on the way out, Apple was already in the process of making some other major changes to the way users interact with apps on the Mac. A new feature in Mountain Lion, released in the summer of 2012, would (by default) restrict the origin of third-party apps installed on the system, therefore protecting the user from inadvertently installing apps from malicious or unknown sources.

Called Gatekeeper, this feature required Apple's developer ecosystem to either sign their apps with a registered certificate—holding them at a higher level of responsibility for when things go haywire—or sell their wares through the Mac App Store and give Apple its 30 percent cut. The reaction from the developer community was surprisingly non-panicked, with most telling us they were cautiously optimistic about the level of control still given to users, should they opt to throw caution to the wind and install any apps they please.

And when we followed up with Mac developers several months later, they remained largely positive about the effect of Gatekeeper on both the app ecosystem and users. "I think GateKeeper is a huge boon to end users—it’s effective against man-in-the-middle and masquerade attacks, and the latter is a very common vector for malware," Delicious Monster's Wil Shipley told Ars in September. Iconfactory's Craig Hockenberry agreed: "I definitely think that GateKeeper is helping end users. I know that whenever I click on a download link and see that the developer hasn't signed their app, I think twice about installing it."

Indeed, the overall sentiment around Gatekeeper has been more positive than some of us expected, and security experts appear to be happy about how smoothly it has gone so far.

"From a security perspective, Apple’s continued movement towards the App Store for OS X and the addition of a strict signed security model for applications was a significant move toward a more controlled ecosystem," Hagen told Ars this week. "The curated App Store model lets Apple provide some quality control and sight over which applications are available to end users. It also goes pretty far in limiting user exposure to malware in the form of user-downloaded applications (Fake AV applications, spyware, and the like)."

Just in time for a high-profile "hack"

Flashback, the eventual removal of Java, and the launch of Mountain Lion weren't the only security-related topics that rippled out from the Mac-using world in 2012. The August "hack" of Wired editor Mat Honan made huge headlines not just for its magnitude—Honan's iPhone, iPad, and Mac were entirely wiped out by remote attackers, and he failed to make a backup—but also because of what technologies were involved. Namely, Apple technologies—ones that were all associated with Apple's newest version of its cloud services, iCloud.

It wasn't entirely iCloud's fault. Amazon was involved too, and the attackers were able to socially engineer both Amazon and Apple into giving them the kind of access they needed in order to destroy Honan's digital life.

So what does this have to do with Apple, really? The company wasn't directly involved in the erasure of Honan's data, but as Hagen pointed out, the incident was significant in 2012 because it "highlighted both social flaws in several well-known online account systems, and used Apple’s iCloud as a liability."

By compromising Honan's iCloud account, his devices became vulnerable to a remote-wipe attack. "This is a new problem for many consumers; a failure to protect one of their online accounts, can lead to their own devices actually becoming 'useless,'" Hagen told Ars. "This attack highlighted the need for Apple and other organizations to protect account access from social attacks, and the need for individuals to treat their Apple accounts with extra sensitivity."

Indeed, Honan's hack caused many of us—geeks, "regulars," and reporters alike—to change our passwords, set up two-factor authentication, and ensure we had solid backup plans in ways we only talked about previously. Both Amazon and Apple ended up changing their policies to prevent similar attacks in the future as well. This one doesn't have a particularly happy ending, but Honan's loss is our gain, at least when it comes to being security-minded.

Looking to 2013

So 2012 was a volatile year for Apple and OS X security, but overall, "I think [Apple's] in pretty good shape," Miller told Ars.

But as with most things, there's always room for improvement. What should happen to the OS X landscape as we move forward into 2013?

Miller wants to see more transparency out of Apple. "One thing I'd like to see is more transparency and interaction with the security community. Their BlackHat talk where they didn't take questions was a bit of a farce," Miller said. "I'd like to see them communicate more with how they do their testing, how the App Store review process works, answer questions about their security, etc."

Indeed, transparency and Apple are usually two words that can't show up in a sentence together, but Apple CEO Tim Cook has slowly (and carefully) begun changing things when it comes to Apple being open with the world. But what Hagen wants to see goes beyond just talking about what Apple is doing—he wants to see the community itself step up to take responsibility for its own security as well.

"I think the AV/Anti-Malware offerings for OSX will need to mature quickly in order to meet near-term threats. Microsoft's route of branding their own offering was great for the end user, it would be great if Apple took a similar approach," Hagen said. "The unification of App Store and system updates simplifies things; OSX users will need to get in the habit of applying updates in a timely manner."

78 Reader Comments

I wonder why Microsoft hasn't been covered just as much as Apple when it comes to security? Android typically gets a free pass too, although Ars has been covering both, so I give them credit for cleaning up their act. Nonetheless, security probably isn't Apple's biggest worries--I reckon feature-parity Android is more worrisome for them.

I wonder why Microsoft hasn't been covered just as much as Apple when it comes to security? Android typically gets a free pass too, although Ars has been covering both, so I give them credit for cleaning up their act. Nonetheless, security probably isn't Apple's biggest worries--I reckon feature-parity Android is more worrisome for them.

Not a whole lot has happened on the Microsoft front regarding security: countless viruses exist and have existed on Windows for years, both high- and low-profile. I don't agree that there's a need for Microsoft coverage to the same degree.

It was my understanding that Apple already has their own anti-virus / anti-malware system baked into the OS in the form of XProtect? (http://support.apple.com/kb/HT3662) Apple being Apple, they don't advertise it and it's invisible to the user, but functionally it serves the same purpose - preventing execution of and removing files known to be harmful.

Stuxnet and Flame got plenty of coverage in my opinion. But if a virus installs itself through users turning off UAC, or users logging in with an Administrator account, or not having AV installed in the first place, then it really doesn't count. Same way I wouldn't blame Apple for their users' carelessness.

It was my understanding that Apple already has their own anti-virus / anti-malware system baked into the OS in the form of XProtect? (http://support.apple.com/kb/HT3662) Apple being Apple, they don't advertise it and it's invisible to the user, but functionally it serves the same purpose - preventing execution of and removing files known to be harmful.

Sort of. It's a strictly signature-based anti-malware solution, for which signatures are now updated as needed rather than with the next point update/security update.

Strictly by the definition, there haven't been viruses for Macs since the nineties, but I suspect that we have lost the battle of what is and isn't a virus. This is all marketing, of course - a virus sounds like something you are bound to catch, sooner or later, through no fault of your own. A trojan horse is something someone tricked you into letting in. It's much easier to sell you protection for a virus.

I wonder why Microsoft hasn't been covered just as much as Apple when it comes to security? Android typically gets a free pass too, although Ars has been covering both, so I give them credit for cleaning up their act. Nonetheless, security probably isn't Apple's biggest worries--I reckon feature-parity Android is more worrisome for them.

Melissa, iloveyou, Nimda, blaster. When there are major Windows viruses they are covered by the major news outlets. The problem with Apple viruses is that no one wants to admit that OS X isn't any safer than any other OS.

One of my favourite features of Windows 8 is the integrated antivirus that literally works out of the box. No setup or configuration required and it's 99% invisible to the user. I'd fully expect Apple to develop their own AV system that's just as seamlessly integrated into OS X soon.

One of my favourite features of Windows 8 is the integrated antivirus that literally works out of the box. No setup or configuration required and it's 99% invisible to the user. I'd fully expect Apple to develop their own AV system that's just as seamlessly integrated into OS X soon.

The sad thing I saw this week was (surprise) in a Best Buy. I had a gift card to spend and while I was in line I watched them sell some lady a $50 copy of some packaged antivirus to go with her brand new Win8 laptop. I've been known to butt in on these sorts of things when I see someone browsing the wares and considering such a purchase but this was a long line and they were already finishing up the sale. Not like one nosy dude is gonna make a difference anyway. Still, it bums me out that people are still buying that stuff. Built-in (or just safe browsing and MSE on older setups) should be just as good for the home user.

Glad to see Apple doing their part to stop the most common vectors as well. Nobody will ever wipe out all malware but it helps to include basic precautions by default.

I wonder why Microsoft hasn't been covered just as much as Apple when it comes to security? Android typically gets a free pass too, although Ars has been covering both, so I give them credit for cleaning up their act. Nonetheless, security probably isn't Apple's biggest worries--I reckon feature-parity Android is more worrisome for them.

Not a whole lot has happened on the Microsoft front regarding security: countless viruses exist and have existed on Windows for years, both high- and low-profile. I don't agree that there's a need for Microsoft coverage to the same degree.

Exactly - when Windows makes claims to security superiority through design only to have their security breached because of flawed design ... then they can get the same amount of flak for touting their own horn.

The thing here is that Mac (and their users) used it as a high and mighty finger wag at PC when their own security was not only flawed, but relatively untested - and therefore failed when attacks were made.

I wonder why Microsoft hasn't been covered just as much as Apple when it comes to security? Android typically gets a free pass too, although Ars has been covering both, so I give them credit for cleaning up their act. Nonetheless, security probably isn't Apple's biggest worries--I reckon feature-parity Android is more worrisome for them.

Um, android gets a free pass? Have you noticed the articles on this very site highlighting the failure of bouncer, their built in av in 4.2, etc? At least 3 articles came out this year alone on android malware.

Um, android gets a free pass? Have you noticed the articles on this very site highlighting the failure of bouncer, their built in av in 4.2, etc? At least 3 articles came out this year alone on android malware.

I was saying in general. Ars Technica does a great job of covering everyone pretty well, but less technically inclined news outlets might not.

The problem with Apple viruses is that no one wants to admit that OS X isn't any safer than any other OS.

But it is.

How many people have had their Mac owned in the last week? About zero.

How many people on windows? Tens of thousands.

You can talk about security theory all you want, but it's the real world numbers that actually matter. If PC's are taken over infinity times more than Macs, then Macs are more secure than PC's. You can argue that they aren't, but they are, so you're wrong. Right?

I wonder why Microsoft hasn't been covered just as much as Apple when it comes to security? Android typically gets a free pass too, although Ars has been covering both, so I give them credit for cleaning up their act. Nonetheless, security probably isn't Apple's biggest worries--I reckon feature-parity Android is more worrisome for them.

Not a whole lot has happened on the Microsoft front regarding security: countless viruses exist and have existed on Windows for years, both high- and low-profile. I don't agree that there's a need for Microsoft coverage to the same degree.

Of course, for WinXP there may be countless viruses, maybe. How many of those are active? How many are active on Win7, or Win8? Do you have numbers to back up your "countless" claim?

One of my favourite features of Windows 8 is the integrated antivirus that literally works out of the box. No setup or configuration required and it's 99% invisible to the user. I'd fully expect Apple to develop their own AV system that's just as seamlessly integrated into OS X soon.

The problem with Apple viruses is that no one wants to admit that OS X isn't any safer than any other OS.

But it is.

How many people have had their Mac owned in the last week? About zero.

How many people on windows? Tens of thousands.

You can talk about security theory all you want, but it's the real world numbers that actually matter. If PC's are taken over infinity times more than Macs, then Macs are more secure than PC's. You can argue that they aren't, but they are, so you're wrong. Right?

Where are your real world numbers? Surely you have sources for your claims.

I wonder why Microsoft hasn't been covered just as much as Apple when it comes to security? Android typically gets a free pass too, although Ars has been covering both, so I give them credit for cleaning up their act. Nonetheless, security probably isn't Apple's biggest worries--I reckon feature-parity Android is more worrisome for them.

It would be nice to know how many win viruses there are. At a guess there may be a couple of hundred for win 7, much less for win 8 but >100,000 for xp which still accounts for a large proportion of the windows install. A friend still uses it every day. When we look at other os's there are few or zero. Malware is not a virus, anyone who can, can write a program to do a lot of damage and call it anything.

It was my understanding that Apple already has their own anti-virus / anti-malware system baked into the OS in the form of XProtect? (http://support.apple.com/kb/HT3662) Apple being Apple, they don't advertise it and it's invisible to the user, but functionally it serves the same purpose - preventing execution of and removing files known to be harmful.

Sort of. It's a strictly signature-based anti-malware solution, for which signatures are now updated as needed rather than with the next point update/security update.

Are you sure? According to the linked KB article, it also scans for malware.

I wonder why Microsoft hasn't been covered just as much as Apple when it comes to security? Android typically gets a free pass too, although Ars has been covering both, so I give them credit for cleaning up their act. Nonetheless, security probably isn't Apple's biggest worries--I reckon feature-parity Android is more worrisome for them.

It's kinda like the town's whore vs the town's virgin analogy:

The town's whore sleeps with four guys at the same time. The people's response? Meh. The town's virgin is holding hands with a guy at the park in broad daylight. The people's response? This is an outrage! What a horrifying image! The town's reputation has been tarnished forever!

The problem with Apple viruses is that no one wants to admit that OS X isn't any safer than any other OS.

But it is.

How many people have had their Mac owned in the last week? About zero.

How many people on windows? Tens of thousands.

You can talk about security theory all you want, but it's the real world numbers that actually matter. If PC's are taken over infinity times more than Macs, then Macs are more secure than PC's. You can argue that they aren't, but they are, so you're wrong. Right?

I hope you realize that most malware infections, regardless of OS, are due to social engineering. If people would just check the url of a link before clicking on it, the number of malware infections would be stopped in their tracks. The percentage of "stupid users" is probably just as high for Mac users as it is for Windows users.

I wonder why Microsoft hasn't been covered just as much as Apple when it comes to security? Android typically gets a free pass too, although Ars has been covering both, so I give them credit for cleaning up their act. Nonetheless, security probably isn't Apple's biggest worries--I reckon feature-parity Android is more worrisome for them.

Because they are Very good with security right now. After all they went through with XP, fixing them in Vista, and more improvement in 7.

There used to be a myth that security would bring overhead and generally slow down the computer, as we have seen in Vista. Then 7 sort of debunked that. And 8 shows it can be securer and faster at the same time. (Just shows we have been living with an inefficient Windows Core for quite a long time.)

Now it is Apple's turn to do the same. I hope it won't take that long though. But it is good Apple has its attention on security, at least before anything like XP has happened to them.

It was my understanding that Apple already has their own anti-virus / anti-malware system baked into the OS in the form of XProtect? (http://support.apple.com/kb/HT3662) Apple being Apple, they don't advertise it and it's invisible to the user, but functionally it serves the same purpose - preventing execution of and removing files known to be harmful.

Sort of. It's a strictly signature-based anti-malware solution, for which signatures are now updated as needed rather than with the next point update/security update.

Are you sure? According to the linked KB article, it also scans for malware.

Depends. Last I read it updates itself every so often. If it updates each day and checks every single file upon read, it would work just like MS's solution.

But as far as I'm concerned, every a/v solution out there has missed stuff and I've found MS essentials along with everyone else compromised/disabled upon infection. YMMV.

I hope you realize that most malware infections, regardless of OS, are due to social engineering. If people would just check the url of a link before clicking on it, the number of malware infections would be stopped in their tracks. The percentage of "stupid users" is probably just as high for Mac users as it is for Windows users.

That pretty much sums it up right there. In that respect, I can't blame many corporate IT departments for keeping systems locked down.

Sure, there are more issues directed at Windows, but that's purely due to market share. Microsoft, to their credit, has vastly improved from the bad old days.

With more activity moving online, the major concern in the future probably won't be the desktop OS, it will be the browser and the Web.

Of course, it's easier said than done, but common sense is the best policy!

The problem with Apple viruses is that no one wants to admit that OS X isn't any safer than any other OS.

But it is.

How many people have had their Mac owned in the last week? About zero.

How many people on windows? Tens of thousands.

You can talk about security theory all you want, but it's the real world numbers that actually matter. If PC's are taken over infinity times more than Macs, then Macs are more secure than PC's. You can argue that they aren't, but they are, so you're wrong. Right?

Nevermind that Mac is itty bitty tiny compared to Windows or that many Windows users run outdated and unprotected software (when was the last time you met someone running the original OSX?).

I wonder why Microsoft hasn't been covered just as much as Apple when it comes to security? Android typically gets a free pass too, although Ars has been covering both, so I give them credit for cleaning up their act. Nonetheless, security probably isn't Apple's biggest worries--I reckon feature-parity Android is more worrisome for them.

Melissa, iloveyou, Nimda, blaster. When there are major Windows viruses they are covered by the major news outlets. The problem with Apple viruses is that no one wants to admit that OS X isn't any safer than any other OS.

Again, there are no viruses for OSX. Social engineered malware, yes, viruses no.

One of my favourite features of Windows 8 is the integrated antivirus that literally works out of the box. No setup or configuration required and it's 99% invisible to the user. I'd fully expect Apple to develop their own AV system that's just as seamlessly integrated into OS X soon.

Agreed, and even on Windows 7 or prior Microsoft Security Essentials was already my favorite antivirus by far, it's so light and unobtrusive with a decent enough detection rate for anyone with some common sense (meaning morons can break anything). So baking it right into the OS and making it even less obtrusive than it already was was great news for me, no extra configuration. This should bring infection rates for new PCs even lower than Vista and 7 already did.

The problem with Apple viruses is that no one wants to admit that OS X isn't any safer than any other OS.

But it is.

How many people have had their Mac owned in the last week? About zero.

How many people on windows? Tens of thousands.

You can talk about security theory all you want, but it's the real world numbers that actually matter. If PC's are taken over infinity times more than Macs, then Macs are more secure than PC's. You can argue that they aren't, but they are, so you're wrong. Right?

Nevermind that Mac is itty bitty tiny compared to Windows or that many Windows users run outdated and unprotected software (when was the last time you met someone running the original OSX?).

Itty bitty tiny?

iOS is derived from OSX and they share the same Darwin core. They both run Safari (WebKit) too.

400+ million iOS devices (as of Sept 2012) plus 65+ million Macs (as of June 2012) is not "itty bitty tiny".

Yet we see the same malware/virus story with Android and iOS, as we do with PCs and MACs.

This entire Mac vs. Win debate is the same thing every time. No wonder there are more viruses for Windows, it was more popular. Why does everyone try to keep count of the no. of viruses per OS?! It's not a metric for OS security. Win XP was indeed unsafe a lot of the time but that was when Apple had a pretty low profile in the market share of home computers. With Macs getting more attention in the past few years you notice the emergence of Flashback. Wonder why so many worms try to hijack your Facebook profile? Because it's so insecure? No, it's just a popular site with a big userbase. With today's Win and OSX machines it's 99% of the time the user's fault for installing dubious crap. You can't blame the OS here: you have AV warnings, UAC and user privileges which most blokes just ignore and press Run.

A lesson to be learned from the Mat Honan debacle is that while in the past it was relevant to debate security at the operating system level (as people keep trying to do in this thread), the OS is less likely to be the main focus now. Mat Honan was hacked primarily via network accounts that controlled his data. In other words, by software and services that were primarily based outside his computer. The reason this is important is that while maximum personal responsibility is rightly encouraged, Honan's story shows that you can do all you can to secure your own computer and yet still be pwned by software and services well outside your control. The only area Honan could be blamed for his lost data was where he did have control but failed to take it: he didn't maintain complete recoverable backups. But the rest of it was not really his fault, because he should not be held responsible for failures in the security practices of Amazon and Apple. It should be a lesson in how easily your automatically propagated network data stores can be set to boomerang against you (by having it set to null and letting the system propagate that back to all your devices) and how you need to keep all your key data backed up somewhere off the grid.

While some may say this also has to do with managing your passwords, again that's a side issue and a local issue only. Since the ultimate security of your password depends on the human gatekeepers of it who are far from your computer. As long as they can be socially engineered, you have no control there.

Garst wrote:

Melissa, iloveyou, Nimda, blaster. When there are major Windows viruses they are covered by the major news outlets. The problem with Apple viruses is that no one wants to admit that OS X isn't any safer than any other OS.

Jeezus...people keep saying this, and still unable to list even a single virus in the wild on the Mac. Not even one.

In other words, the number of Mac viruses (by their strict definition) is not even close to the proportion of Mac market share vs Windows, so even the market share argument is hollow.

I missed it when the original 'hack' of Mat Honan's accounts occurred, and I admittedly haven't listened to the podcast, but I have to wonder if he tried photorec to recover the wiped data. It probably wouldn't work on the iOS devices, but it's great for desktop systems; I've had a lot of success recovering deleted files of all types from even reformatted/repartitioned drives. It can take a long time to run depending on the size of the drive, and you might end up with some duplicates, but a very powerful tool overall.

The problem with Apple viruses is that no one wants to admit that OS X isn't any safer than any other OS.

But it is.

How many people have had their Mac owned in the last week? About zero.

How many people on windows? Tens of thousands.

You can talk about security theory all you want, but it's the real world numbers that actually matter. If PC's are taken over infinity times more than Macs, then Macs are more secure than PC's. You can argue that they aren't, but they are, so you're wrong. Right?

Nevermind that Mac is itty bitty tiny compared to Windows or that many Windows users run outdated and unprotected software (when was the last time you met someone running the original OSX?).

Itty bitty tiny?

iOS is derived from OSX and they share the same Darwin core. They both run Safari (WebKit) too.

400+ million iOS devices (as of Sept 2012) plus 65+ million Macs (as of June 2012) is not "itty bitty tiny".

Yet we see the same malware/virus story with Android and iOS, as we do with PCs and MACs.

Why do you bring up iOS, and 65+ million Macs is still little compared to Windows' hundreds and hundreds of millions. You can't compare them by numbers alone.